Proposed Amendment to European Law Could Make HTTPS Less Secure, EFF Warns

HTTPS added a layer of privacy and security to common everyday browsing. The EFF warns an amendment could undo some of that.

HTTPS adds a layer of security and privacy to a person’s web browsing experience. There was a time when HTTPS was seen as sensible only for sites that handled financial transactions. As time went on, however, a movement got under way to make HTTPS the universal standard for all websites. Some observers opined that HTTPS for something as simple as browsing a news website is overkill, but the major web browsers began labelling any website served over plain HTTP as “Not Secure”. That helped push many sites to adopt HTTPS. Another motivating factor is that search engines favour sites with HTTPS over those that only offer plain HTTP connections.

Funnily enough, one of Freezenet’s main goals was to implement HTTPS. It was part of a very long to-do list and, when we got to that line item, that was when browsers were moving forward with plans to label sites with HTTP as insecure. It obviously didn’t change our plans given that we were in the midst of preparing the site to incorporate HTTPS anyway, but it did highlight the importance of such a move, giving us an added reason we really didn’t need. Regardless, we ultimately implemented HTTPS in early 2018. This despite the extremely limited resources we have at our disposal partly due to low returns on ad revenue and Patreon/Ko-Fi support.

Still, it is widely understood that HTTPS better secures the user’s browsing experience. It protects the confidentiality and integrity of traffic in transit, which adds a layer of protection against things like man-in-the-middle attacks as well as some forms of government snooping.

As a result of the actions of many website owners – including us – HTTPS became extremely commonplace. Earlier this year, the Electronic Frontier Foundation (EFF) announced that it would be sunsetting its HTTPS Everywhere extension. The reason is a very optimistic one: HTTPS is now everywhere, so the extension is no longer needed. By that point, it seemed like a story with a nice and happy ending. That, of course, is a rather rare thing to see in the world of technology and privacy these days.

Recently, however, a development has threatened to undermine this.

That development is a proposed amendment to the European Digital Identity Framework (eIDAS), known as Article 45. Critics say it would require browsers to trust Certificate Authorities (CAs) approved by EU member governments, regardless of whether those CAs meet the requirements browsers apply to everyone else. The EFF says that this could make HTTPS less secure for everyone:

The proposed amendment requires CAs in all major root stores that are nationally approved by EU member countries. The amendment has no assurance that these CAs must meet the root store’s security requirements, no listed mechanisms to challenge their inclusion, and no required transparency.

This setup could also tempt governments to try “Machine-in-the-Middle” (MITM) attacks on people. In August 2019, the government of Kazakhstan tried to require installation of a certificate to scan citizen traffic for “security threats.” Google Chrome, Mozilla Firefox, and Apple Safari blocked this certificate. They were able to take this stand because they run independent root stores with proper security controls. Under this new regulation, this would not be as easy to do. The EU has much more reach and impact than one country. Even though eIDAS wasn’t intended to be anti-democratic, it could open the path to more authoritarian surveillance.

If adopted, the amendment would roll back security gains that so many worked hard to achieve in the past decade. The amendment should be dropped. Instead, these CAs should be pushed to meet requirements for transparency, security, and incident response.
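The root-store mechanism the EFF passage describes can be played out in a few dozen lines of code. The following is an added example written for this page, not code from the EFF, from Freezenet or from any browser vendor. It uses only the Go standard library and assumes two constructed roots (a “vetted” CA the browser admitted on its own terms and an interception CA of the Kazakhstan kind) and a hypothetical hostname, news.example. It shows that an interception certificate for a site is rejected while the browser controls which roots it trusts, and becomes fully valid the moment the interception root is mandated into the store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key, has parent sign tmpl for it (self-signed
// when parent is nil) and returns the parsed certificate and the new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a root CA. The names used below are constructed for the demo.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate describes a TLS server certificate for host.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// trusted runs the same chain-building check a TLS client runs: does leaf
// chain to one of the roots in pool and is it valid for host?
func trusted(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Scenario returns three verdicts for host: the site's real certificate is
// trusted; an interception certificate for the same host is rejected by a
// browser that controls its own root store; and that same interception
// certificate is trusted once the interception root is mandated into the store.
func Scenario(host string) (legitTrusted, mitmRejected, mitmTrustedOnceMandated bool, err error) {
	vettedRoot, vettedKey, err := issue(caTemplate("Vetted Public CA (demo)"), nil, nil)
	if err != nil {
		return
	}
	interceptRoot, interceptKey, err := issue(caTemplate("National Interception CA (demo)"), nil, nil)
	if err != nil {
		return
	}
	siteCert, _, err := issue(serverTemplate(host), vettedRoot, vettedKey)
	if err != nil {
		return
	}
	// The interceptor mints its own certificate for the very same hostname.
	mitmCert, _, err := issue(serverTemplate(host), interceptRoot, interceptKey)
	if err != nil {
		return
	}

	// An independent root store: only roots the browser vetted itself.
	browserStore := x509.NewCertPool()
	browserStore.AddCert(vettedRoot)
	legitTrusted = trusted(siteCert, browserStore, host)
	mitmRejected = !trusted(mitmCert, browserStore, host)

	// The store after a mandate to include the nationally approved CA,
	// whether or not it meets the store's own requirements.
	mandatedStore := x509.NewCertPool()
	mandatedStore.AddCert(vettedRoot)
	mandatedStore.AddCert(interceptRoot)
	mitmTrustedOnceMandated = trusted(mitmCert, mandatedStore, host)
	return
}

func main() {
	legit, rejected, mandated, err := Scenario("news.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("site cert trusted by independent root store:", legit)
	fmt.Println("interception cert rejected by independent root store:", rejected)
	fmt.Println("interception cert trusted once its root is mandated:", mandated)
}
```

Nothing about the interception certificate changes between the second and third check; the only thing that changes is who decides what goes in the root store. That is the whole of the EFF’s point: a browser can refuse a Kazakhstan-style root only as long as the decision is its own.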

Indeed, the state of HTTPS today took years of hard work. It required web browsers and search engines to be on board. It required building an entire CA (Let’s Encrypt) to offer a free alternative to paid CAs for websites that don’t generate the revenue to pay for a premium service, so that money would at least no longer be a barrier to securing a website. There are probably numerous other elements that made HTTPS more universal that we aren’t thinking of right now. So, little surprise that organizations like the EFF are upset at a legal amendment that would undermine all these years of hard work. The last thing they want to see is all of that effort come to nothing.

What’s more, it raises the question of whether it would even be legally possible to build a system that replaces this layer of security. Never mind that, even if such a system were built, it would take years of hard work to make it as universal a standard as HTTPS is today.

Ultimately, this follows a familiar pattern we’ve been witnessing off and on over the last several years: governments trying to make the Internet at large less secure. In 2018, Australia passed laws compelling companies to help authorities get around encryption, despite the near-universal condemnation those laws received. In 2019, the US and the UK teamed up to push anti-encryption measures beyond their own borders as well. In that same year, Germany, the US, and the UK joined forces to condemn Facebook for moving forward with end-to-end encryption. What’s more, the Five Eyes spy agencies have been calling for backdoors to encryption for years.

Many security experts would agree that if you undermine security on the Internet, everyone becomes less safe. This is regardless of whether you are going after child abuse, pornography, misinformation, state-sponsored election interference, or whatever else is declared the societal ill of the day. Once you start undermining security for the sake of surveillance, everyone becomes less secure in the end. Governments have been known to hit back against this reasoning with political talking points. A popular one is that by siding with a secure Internet, you are siding with the bad guys. Another is to demand that experts come up with something that is both secure and open to government surveillance. Experts will have no problem telling you why this is an impossible ask: a backdoor that lets one party read traffic is a weakness any other party can look for.

Obviously, this latest move is not going over well. The hope is that this amendment will not pass. These days, it’s hard to tell whether something will actually pass or not. If Brexit and Donald Trump proved anything, it’s that you can’t assume the most insane things won’t come to pass because magical checks and balances will come to the rescue. In the meantime, we can only hope that activism will pull through on this one.

Drew Wilson on Twitter: @icecube85 and Facebook.
